Powers to require retention of certain data

Investigatory Powers Bill – in a Public Bill Committee am 2:30 pm ar 19 Ebrill 2016.

Danfonwch hysbysiad imi am ddadleuon fel hyn

Photo of Keir Starmer Keir Starmer Shadow Minister (Home Office) 2:30, 19 Ebrill 2016

I beg to move amendment 164, in clause 78, page 61, line 5, leave out subsection (1) and insert—

“(1) A Judicial Commissioner may issue a data retention warrant under this Part to authorise the retention of relevant communications data if the Judicial Commissioner considers that the authorisation is necessary and proportionate for one or more of the following purposes—

(a) in the interests of national security, or

(b) for the purpose of preventing or detecting serious crime, or

(c) for the purpose of preventing death or serious injury.”

Photo of Nadine Dorries Nadine Dorries Ceidwadwyr, Mid Bedfordshire

With this it will be convenient to discuss the following:

Amendment 165, in clause 78, page 61, line 10, leave out “A retention notice may” and insert “A data retention warrant must”.

Amendment 154, in clause 78, page 61, line 19, leave out “notice” and insert “warrant”.

Amendment 155, in clause 78, page 61, line 30, leave out “retention notice” and insert “retention warrant”.

Amendment 235, in clause 78, page 61, line 30, leave out second “notice” and insert “warrant”.

Amendment 156, in clause 78, page 61, line 32, leave out “notice” and insert “warrant”.

Amendment 157, in clause 78, page 61, line 33, leave out “notice” and insert “warrant”.

Amendment 158, in clause 78, page 61, line 34, leave out “notice” and insert “warrant”.

Amendment 159, in clause 78, page 61, line 36, leave out “notice” and insert “warrant”.

Amendment 160, in clause 78, page 61, line 37, leave out “notice” and insert “warrant”.

Amendment 161, in clause 78, page 61, line 38, leave out “Secretary of State” and insert “Judicial Commissioner”.

Amendment 162, in clause 78, page 61, line 41, leave out “notice” and insert “warrant”.

Amendment 166, in clause 79, page 62, line 26, leave out “notice” and insert “warrant”.

Amendment 220, in clause 79, page 62, line 26, leave out “Secretary of State” and insert “Judicial Commissioner”.

Amendment 168, in clause 79, page 62, line 28, leave out “notice” and insert “warrant”.

Amendment 169, in clause 79, page 62, line 30, leave out “notice” and insert “warrant”.

Amendment 170, in clause 79, page 62, line 31, leave out “notice” and insert “warrant”.

Amendment 171, in clause 79, page 62, line 32, leave out “notice” and insert “warrant”.

Amendment 172, in clause 79, page 62, line 33, leave out “notice” and insert “warrant”.

Amendment 173, in clause 79, page 62, line 35, leave out “notice” and insert “warrant”.

Amendment 174, in clause 79, page 62, line 35, leave out “Secretary of State” and insert “Judicial Commissioner”.

Amendment 176, in clause 80, page 62, line 38, leave out “notice” and insert “warrant”.

Amendment 198, in clause 80, page 62, line 40, leave out “back to the Secretary of State” and insert “to the Investigatory Powers Commissioner for review”.

Amendment 335, in clause 80, page 62, line 40, leave out “notice” and insert “warrant”.

Amendment 177, in clause 80, page 62, line 41, leave out “notice” and insert “warrant”.

Amendment 178, in clause 80, page 62, line 42, leave out “notice” and insert “warrant”.

Amendment 180, in clause 80, page 63, line 5, leave out “notice” and insert “warrant”.

Amendment 181, in clause 80, page 63, line 6, leave out “notice” and insert “warrant”.

Amendment 199, in clause 80, page 63, line 7, leave out “Secretary of State” and insert “the Investigatory Powers Commissioner”.

Amendment 182, in clause 80, page 63, line 7, leave out “notice” and insert “warrant”.

Amendment 183, in clause 80, page 63, line 8, leave out “notice” and insert “warrant”.

Amendment 200, in clause 80, page 63, line 10, leave out “Secretary of State” and insert “the Investigatory Powers Commissioner”.

Amendment 201, in clause 80, page 63, line 12, leave out subsection (b).

Amendment 184, in clause 80, page 63, line 14, leave out “notice” and insert “warrant”.

Amendment 185, in clause 80, page 63, line 16, leave out “notice” and insert “warrant”.

Amendment 193, in clause 80, page 63, line 19, leave out “Secretary of State” and insert “Judicial Commissioner”.

Amendment 194, in clause 80, page 63, line 24, leave out “Secretary of State” and insert “Judicial Commissioner”.

Amendment 202, in clause 80, page 63, line 25, leave out “Secretary of State” and insert “Investigatory Powers Commissioner”.

Amendment 249, in clause 80, page 63, line 25, leave out “and the Commissioner”.

Amendment 186, in clause 80, page 63, line 27, leave out “notice” and insert “warrant”.

Amendment 187, in clause 80, page 63, line 28, leave out “notice” and insert “warrant”.

Amendment 188, in clause 80, page 63, line 30, leave out “notice” and insert “warrant”.

Amendment 203, in clause 80, page 63, line 31, leave out “Secretary of State” and insert “Investigatory Powers Commissioner”.

Amendment 197, in clause 80, page 63, line 33, leave out “Secretary of State” and insert “Judicial Commissioner”.

Amendment 189, in clause 80, page 63, line 33, leave out “notice” and insert “warrant”.

Amendment 204, in clause 83, page 64, line 13, leave out “Secretary of State” and insert “Judicial Commissioner”.

Amendment 210, in clause 83, page 64, line 13, leave out “notice” and insert “warrant”.

Amendment 205, in clause 83, page 64, line 14, leave out “Secretary of State” and insert “Judicial Commissioner”.

Amendment 206, in clause 83, page 64, line 15, leave out “Secretary of State” and insert “Judicial Commissioner”.

Amendment 211, in clause 83, page 64, line 22, leave out “notice” and insert “warrant”.

Amendment 207, in clause 83, page 64, line 23, leave out “Secretary of State” and insert “Judicial Commissioner”.

Amendment 212, in clause 83, page 64, line 27, leave out “notice” and insert “warrant”.

Amendment 213, in clause 83, page 64, line 28, leave out “notice” and insert “warrant”.

Amendment 214, in clause 83, page 64, line 31, leave out “notice” and insert “warrant”.

Amendment 215, in clause 83, page 64, line 32, leave out “notice” and insert “warrant”.

Amendment 216, in clause 83, page 64, line 34, leave out “notice” and insert “warrant”.

Amendment 217, in clause 83, page 64, line 36, leave out “notice” and insert “warrant”.

Amendment 218, in clause 83, page 64, line 37, leave out “notice” and insert “warrant”.

Amendment 208, in clause 83, page 64, line 38, leave out “Secretary of State” and insert “Judicial Commissioner”.

Amendment 370, in clause 83, page 64, line 39, leave out “notice” and insert “warrant”.

Amendment 372, in clause 83, page 64, line 40, leave out “Secretary of State” and insert “Judicial Commissioner”.

Amendment 209, in clause 83, page 64, line 41, leave out “Secretary of State” and insert “Judicial Commissioner”.

Amendment 219, in clause 83, page 65, line 7, leave out “notice” and insert “warrant”.

Amendment 221, in clause 83, page 65, line 9, leave out “notice” and insert “warrant”.

New clause 7—Persons who may apply for issue of warrant—

“(1) Each of the following organisations may apply for a communications data retention warrant—

(a) a police force maintained under section 2 of the Police Act 1996,

(b) the Metropolitan Police Force,

(c) the City of London Police Force,

(d) the Police Service of Scotland,

(e) the Police Service of Northern Ireland,

(f) the British Transport Police Force,

(g) the Ministry of Defence Police,

(h) the Royal Navy Police,

(i) the Royal Military Police,

(j) the Royal Air Force Police,

(k) the Security Service,

(l) the Secret Intelligence Service,

(m) GCHQ, and

(n) the National Crime Agency.”

New clause 10—Requirements that must be met by warrants—

“(1) A warrant issued under this Part must name or otherwise identify the person or persons, organisation, premises, or location to which the warrant relates.

(2) A warrant issued under this Part must describe the investigation or operation to which the warrant relates.

(3) A warrant issued under this Part must relate to one or more of the following purposes—

(a) in the interests of national security, or

(b) for the purpose of preventing or detecting serious crime, where there is reasonable suspicion that a serious criminal offence has been or is likely to be committed, or

(c) for the purpose of preventing death or injury.

(4) A warrant may only be issued under this Part if there are reasonable grounds for believing that the material is likely to be of substantial value to the investigation or operation to which the warrant relates.”

Photo of Keir Starmer Keir Starmer Shadow Minister (Home Office)

I will not say, at this stage, that I am withdrawing all of those amendments.

Photo of Keir Starmer Keir Starmer Shadow Minister (Home Office)

It is a joke, Ms Dorries. We now come to a very important clause. In some respects, over the last part of Thursday and today we have been working backwards through the way in which the functions will be exercised, because clause 78 is the starting point in relation to communications data. It relates to the power to require retention of data in the first place, and everything we have discussed has been about how those data can be filtered and accessed after they have been retained. It is a very important clause.

I draw attention to the breadth of the clause, which states:

“The Secretary of State may by notice…require a telecommunications operator to retain relevant communications data if the Secretary of State considers that the requirement is necessary and proportionate for one or more of the purposes falling within paragraphs (a) to (j) of section 53(7)”.

The first thing that crops up in relation to the clause is what the test for retention is. The test is, of course, necessity and proportionality but the real question is: what does that necessity and proportionality bite on? That pushes us straight back to clause 53(7), which is problematic because it sets such a low threshold for these extensive retention powers.

There should be no doubt that this provision gives the Secretary of State the power to require the retention of a huge amount of data. There may be circumstances in which that is necessary and proportionate, but the test for whether that power is exercised is pushed all the way back to clause 53(7). To take an example that we touched on last week, extensive data can be retained

“for the purpose of preventing or detecting crime”— any crime. Any crime of any level can trigger a power to retain data. The importance of the issue of retention over that of access is that at this stage it is about retaining the data of those who are not necessarily suspects or targets but anybody whose data come within the types that are intended to be retained. It is a very wide provision.

Sign-off is by the Secretary of State, so there is no double lock and no reference to a judicial commissioner here. The Secretary of State operates the powers, which are very wide. Clause 78(2) states that

“a retention notice may…relate to a particular operator”; it may

“require the retention of all data or any”; it may

“identify…periods for which data is to be retained”; it may “contain…restrictions” and

“make different provision for different purposes,”; and it may “relate to data” that are not even in existence at the time. These are very wide-ranging powers triggered by the test set out in clause 53(7), and that is a cause of significant concern. The retention period is 12 months, so this is an extensive hoovering-up exercise.

It is clear that the clause applies to internet connection records, because that is stated in subsection (9). We touched on internet connection records last week in relation to when internet connection records are to be accessed. Now, I touch on it for a different purpose: to highlight how all our internet connection records can be swept up in a data retention notice issued under this provision.

For that purpose, one obviously starts with the definition of internet connection record in clause 54(6)(a) and (b), which we looked at last week. I will not read it out again but just give some examples of what is intended to be included. I will do so in chronological order. The operational case for the retention of internet connection records was published in August last year. Page 3 made it clear that internet connection records are:

“a record of the internet services that a specific device connects to—such as a website or instant messaging application—captured by the company providing access to the internet”.

So that is within the scope of an internet connection record, as set out in the operational case of August 2015. An annexe setting out terminology and definitions was put in evidence before the Joint Committee in January this year, which made it clear that not only web and IP addresses are included, but names and addresses, email addresses, phone numbers, billing data, customers, users, and so on. In the explanatory notes to the Bill, paragraph 2.30, on clause 78(9) makes it clear that,

“communications data that can be retained includes internet connection records. Internet connection records, which are defined in clause 54(6), are a record of the internet services that a specific device connects to—such as a website”

That is therefore consistent with the operational case.

What is swept up under clause 78 are internet connection records, which means connections to the internet and websites to which any device has connected. When anyone uses a device to connect to a website, that is recorded by the provider and comes within the definition. It therefore comes within the retention order. That is what the clause gives the Secretary of State power to retain.

It is fair to point out that clause 54(4), which deals with accessing the data that are retained, says that the access through an authorisation can be allowed only if the purpose is to identify: which person is using the internet, which internet service is being used, where the person or apparatus whose identity is already known is, and so on. It is true to say that on the point of access there is restriction of the way in which internet connection records are accessed, but we need to be absolutely clear that for the purpose of retention, it is a record of all websites visited or accessed by a device.

Photo of John Hayes John Hayes Minister of State (Home Office) (Security)

I do not doubt that my hon. and learned Friend the Solicitor General will deal with these points at some length, but is it not fair to say—the hon. and learned Gentleman is in the mood to be fair—that the two subsequent clauses both build a set of safeguards into the system and provide for a review of the system? There is further work in the Bill that caveats what might be taken to be the extremes of his argument.

Photo of Keir Starmer Keir Starmer Shadow Minister (Home Office) 2:45, 19 Ebrill 2016

I am grateful for that intervention, and I accept that there are safeguards in subsequent provisions. I will be corrected if I am wrong, but on the face of it at least—I am not saying they are incapable of a review—the safeguards do not restrict the definition of an internet connection record in a way that would prevent websites visited being swept up in the retention order.

Photo of Keir Starmer Keir Starmer Shadow Minister (Home Office)

The message to my and all of our constituents is that, even if they are not a target, a record of the websites they have visited can be retained under a data retention order, and if retained will be retained for 12 months—every website they have visited. But if somebody later wants to access it, there is then a tighter test for that. The chilling effect of clause 78 is that the websites visited will be retained if a retention order is issued. We need to be absolutely clear about that. The tighter definition does not kick in until a later stage of the exercise, and that is a cause of real concern to our constituents, certainly to the people who have engaged with me on the topic, and to our fellows across both sides of the House.

Photo of Joanna Cherry Joanna Cherry Shadow SNP Westminster Group Leader (Justice and Home Affairs)

I note what the hon. and learned Gentleman says about web addresses being revealed. Is it not also the case that we see from the data released by the Home Office, after being pressed about its factsheet accompanying ICRs, that what will be revealed are not only web addresses and IP addresses, but the names, addresses, email addresses, phone numbers and billing data of customers—our constituents?

Photo of Keir Starmer Keir Starmer Shadow Minister (Home Office)

I cannot double check on my feet, but that sounds like the further evidence that was put before the Joint Committee when it was in the middle of its deliberations. In fairness, the Home Office did go beyond websites to include some, maybe all, of the matters to which the hon. and learned Lady just referred.

The way this will operate in practice is a cause of real concern. The Secretary of State, without the double check of a judicial commissioner, and operating against a low-level threshold—clause 53(7)—can issue a retention order that will permit the retention of a record of all the websites that somebody has visited. That record will then be kept for 12 months, albeit with a different test if it is to be accessed later.

The amendments—I think you have called them the first set of amendments, Ms Dorries—are intended to construct in the first instance a different framework around this power, because it is so extensive, and put it in the hands of a judicial commissioner rather than the Secretary of State. That would provide a greater safeguard in relation to clause 78, with independent oversight through the function of the judicial commissioner. Alternatively, amendments 152, 153 and 222 would give the Investigatory Powers Commissioner some oversight. In other words, the intention behind these amendments is to put some rigour and independence into the exercise of what is a very wide power that, in fact, is the starting point for the exercise of all the other powers under the parts of the Bill that we are now concerned with.

An anxiety that has been expressed on a number of occasions about cost. Huge amounts of data could be required for retention under clause 78. The Government have estimated the cost at £170 million. That is considered to be a gross underestimate by those who will no doubt be called upon to actually retain the data. For those reasons, these amendments are intended to tighten up a clause that is very wide and very loose. It permits a huge amount of data to be retained, including websites visited by you, by me, or by our constituents.

Photo of Gavin Newlands Gavin Newlands Scottish National Party, Paisley and Renfrewshire North

It is a great pleasure to rise as part of this ongoing scrutiny, and to offer my hon. and learned Friend the Member for Edinburgh South West a brief respite in this Committee. It is also a great pleasure to serve under your chairmanship, Ms Dorries. It is great to follow the hon. and learned Member for Holborn and St Pancras, who in his customary fastidious and engaging manner has covered in a short space of time all the aspects of many amendments. Some of that bears repeating, and I will speak to new clause 10, which is tabled in my name and that of my hon. and learned Friend the Member for Edinburgh South West.

My hon. and learned Friend spoke at length about the important role that the judiciary, in the form of judicial commissioners, should bring to this process. We do not think it is good enough that the Bill only proposes to use judicial commissioners to review the process used by the Secretary of State in making a decision. The Government may claim that it is important that the Home Secretary retains the power to issue retention notices to internet service providers, as it will ensure that democratic accountability is a salient feature of the process, but I do not accept that to be the case. In fact, I would argue that because of the political arena that any Home Secretary operates in, it is right that this power is handed to and delegated to an independent official such as a judicial commissioner.

It is also worth noting that we know very little of the various notices that the Home Secretary issues, and as such there is no possible opportunity to hold her to account for them. Building the role of judicial commissioners into this part of the process will help to ensure that we have appropriate checks and balances when it comes to the retention of communications data. This is vitally important, because it is the proper constitutional function of the independent judiciary to act as a check on the use of intrusive and coercive powers by state bodies, and to oversee the application of law to individuals and organisations. Liberty rightly points out that judges are professionally best equipped to apply the legal tests of necessity and proportionality to ensure that any surveillance is conducted lawfully.

I turn now to new clause 7. Schedule 4 provides a lengthy list of bodies that are able to access or retain data, including several Government Departments, such as the Department for Transport, and a range of regulatory bodies, such as the Food Standards Agency and the Gambling Commission. This suggests that access to communications data may be allowed for a range of purposes which may be disproportionate and inconsistent with the guidance offered by the European Court of Human Rights.

Photo of John Hayes John Hayes Minister of State (Home Office) (Security)

I draw the hon. Gentleman’s attention to clause 79, which we are not debating at the moment but which is directly relevant to the point he made about proportionality. Clause 79(1)(a) states:

“(1) Before giving a retention notice, the Secretary of State must, among other matters, take into account—

(a) the likely benefits of the notice”.

To me, that would be a pretty strong way of enforcing proportionality. Yet the hon. Gentleman is in his peroration claiming that that would not be taken into account, or not sufficiently so.

Photo of Gavin Newlands Gavin Newlands Scottish National Party, Paisley and Renfrewshire North

I am grateful for the Minister’s intervention. I appreciate that that is a safeguard, but we must ask whether those Departments should be getting access in the first place.

Photo of John Hayes John Hayes Minister of State (Home Office) (Security)

I do not want to be unnecessarily brutal with the hon. Gentleman, but either he is making an argument about proportionality or he is not. If he is saying that nothing is proportional, then it should not happen at all, that is hardly an argument about proportionality. Those of us who take a more measured view of these things are considering whether such collection and access to data are proportionate. Proportions by their nature require an assessment of balance, do they not? Yet the hon. Gentleman is suggesting that the scales are weighted all on one side.

Photo of Gavin Newlands Gavin Newlands Scottish National Party, Paisley and Renfrewshire North

The Minister did not actually address why these Departments need access to this data in the first place. I appreciate the point that he is making, but these Departments should not, in my view, require access to this information.

Photo of Joanna Cherry Joanna Cherry Shadow SNP Westminster Group Leader (Justice and Home Affairs)

The Minister talked about the duty to take into account the likely benefits of the notice, but does my hon. Friend agree that something may be beneficial without being necessary?

Photo of Gavin Newlands Gavin Newlands Scottish National Party, Paisley and Renfrewshire North

I agree with my hon. and learned Friend. We are not opposed to every measure in the Bill. There are benefits, but unfortunately they are not covered by enough safeguards and are not drawn tightly enough. I would like to make progress but I will give way once more.

Photo of Simon Hoare Simon Hoare Ceidwadwyr, North Dorset

I apologise if I missed the hon. Gentleman outlining the Departments, but could he tell me which ones should be excluded and not have access to this?

Photo of Gavin Newlands Gavin Newlands Scottish National Party, Paisley and Renfrewshire North

That has been dealt with at length. I have already mentioned the Food Standards Agency as one of the regulatory bodies. Schedule 4 does currently provide a lengthy list of bodies that should be able to access the data. New clause 7 would ensure that only the police forces and security agencies may request a communications data warrant, except where the warrant is issued for the purpose of preventing death, in which circumstances emergency and rescue services also fall within the definition.

New clause 10 outlines the requirements that must be met by warrants.

Photo of Simon Hoare Simon Hoare Ceidwadwyr, North Dorset

As, for example, the Food Standards Agency cannot itself bring a prosecution, may I conjure in the hon. Gentleman’s mind a situation whereby a criminal gang, as part of its activities, seeks to bring into the United Kingdom for sale to the British public a contaminated food source? Is that not something to which the Food Standards Agency should have access to information in order to ensure that citizens and consumers are safe?

Photo of Gavin Newlands Gavin Newlands Scottish National Party, Paisley and Renfrewshire North

I understand the hon. Gentleman’s point, but surely the police would be interested in that scenario and would have access.

Photo of Simon Hoare Simon Hoare Ceidwadwyr, North Dorset

In the abstract—by golly, isn’t this debate being held in the abstract?—the hon. Gentleman is absolutely right, but we invest the powers with the agency. The police are not an infinite resource. If we have the many who are charged with multiple areas of our lives—

Photo of Nadine Dorries Nadine Dorries Ceidwadwyr, Mid Bedfordshire

Order. Mr Hoare, can we keep it to an intervention, please, not a speech?

Photo of Simon Hoare Simon Hoare Ceidwadwyr, North Dorset

Forgive me. The hon. Gentleman knows my point.

Photo of Gavin Newlands Gavin Newlands Scottish National Party, Paisley and Renfrewshire North

These powers are very large and we should limit who has access to them. The police can pass on the relevant information to the agencies that can deal with that particular incident, but in my view, only the police and security forces should have access. I want to finish my point on new clause 10 but I will allow one last intervention.

Photo of Victoria Atkins Victoria Atkins Ceidwadwyr, Louth and Horncastle

I want to understand the hon. Gentleman’s understanding of how cases are prosecuted in England and Wales, if not in Scotland. Is the hon. Gentleman saying that Her Majesty’s Revenue and Customs, for example, should not have access to any of these powers? Is the hon. Gentleman saying that the investigation of economic crime that can potentially alter the GDP of another member state is not worthy of these powers? I wonder what the differentiation is between those organisations he thinks should have these powers and those that cannot. At the moment, it is not clear.

Photo of Nadine Dorries Nadine Dorries Ceidwadwyr, Mid Bedfordshire

Order. May I just ask that interventions be kept short, please, or we will be here all night? Mr Newlands.

Photo of Gavin Newlands Gavin Newlands Scottish National Party, Paisley and Renfrewshire North

I appreciate what the hon. Lady says but, as I am not a lawyer, I am struggling to distinguish the difference between Scottish and English law. Perhaps my colleague could address that.

Photo of Joanna Cherry Joanna Cherry Shadow SNP Westminster Group Leader (Justice and Home Affairs)

My hon. Friend will no doubt agree that, in Scotland at least, it is the police who investigate serious crime, under the direction of the Lord Advocate.

Photo of Gavin Newlands Gavin Newlands Scottish National Party, Paisley and Renfrewshire North

The point has been dealt with, and I think we need to move on. The effect of new clause 10 —[Interruption.] I will finish, amid the chuntering. These new clauses require data retention notices to be issued only for specific investigative or operational purposes, to obtain specified data where those data are believed to be of substantial value. We do not believe, however, that the role of communications data in the investigation of crime justifies the Secretary of State’s mandate for blanket retention of historical communications data for the entire population for 12 months.

Instead of the Secretary of State imposing an arbitrary and speculative data retention notice to cover the entire population, we propose that police forces should be able to apply to a judicial commissioner for targeted data retention warrants, where data is required for specific purposes. Building the role of judicial commissioners into that part of the process will help to ensure that we have appropriate checks and balances when it comes to retention of communications data. That is vital, as it is a proper constitutional function of the independent judiciary to act as a check on the use of intrusive and coercive powers by the state.

Photo of Chris Matheson Chris Matheson Llafur, City of Chester 3:00, 19 Ebrill 2016

I am delighted to see you back in the Chair, Ms Dorries, as I break my couple of sessions’ silence; it is always very reassuring. I certainly do not wish to keep the Committee here all night, but I will reiterate a point that I made earlier in our considerations, and that relates to the retention of certain data. As my hon. and learned Friend the Member for Holborn and St Pancras pointed out, we understand the need for data retention. However, on looking at the Bill, I am still not entirely satisfied that the Government have taken into account the need for additional security for data retention.

I look to the Minister for reassurance that, when telecommunications and internet providers and suchlike are obliged to retain data, there is a consequent obligation on them to maintain it securely. We know that several such providers have problems with internet security: we saw that with the TalkTalk hack, and we believe another large provider has been hacked recently. Those attacks were on personal data; the Solicitor General and I have had exchanges in this room about the potential for charging them as theft—about whether the sanctions against somebody who committed that offence would be contained in existing legislation.

This part of the Bill needs to look at obliging or maintaining a minimum acceptable level of security, to provide security and privacy for people whose data may have been accepted. I realise that it might not necessarily be covered in detail in the new clause, but now might be a good time for the Ministers to consider whether they believe internet security and the security of personal data held under the terms of clause 79 should be considered in the Bill. Do they believe guidance should be given to telecommunications providers to maintain that security, or do they feel that it is not relevant and that they are quite satisfied with the status quo? I must say that I am not. Notwithstanding the need for the retention of individual data, as described so eloquently by my hon. and learned Friend, it remains a major concern of mine that individual privacy and data are at risk: it puts a question mark over the whole clause and over the areas we are discussing.

Photo of Robert Buckland Robert Buckland The Solicitor-General

I am grateful to hon. Members for a wide-ranging debate. I would first like to reiterate on behalf of the Government the position adopted by the Joint Committee on the draft Investigatory Powers Bill, which quite clearly indicated its conclusion that the case was made for a retention period of up to 12 months for relevant communications data. In the report from David Anderson, QC, “A Question of Trust”, recommendation 14 is:

The Home Secretary should be able by Notice (as under DRIPA 2014 s1 and CTSA 2015 s21) to require service providers to retain relevant communications data for periods of up to a year”.

There we have it: the Government are acting upon the specific endorsement of an independent reviewer and a Joint Committee of this House. There is an element of the waving of the proverbial shroud when it comes to the retention of data, because the word “relevant”, which is contained in the second line of clause 78(1), is the governing word here. It is very important to remember that this is not carte blanche for the Secretary of State to authorise communication service providers to retain everything for 12 months. That is not the case. Where there is no case of necessity and proportionality for a 12-month period, a shorter period must be adhered to. Indeed, if the material is not relevant, it falls outwith the ambit of any such authorisation.

I reassure the hon. Member for City of Chester, who makes quite proper points about the integrity of data, that he is right to make them. That issue affects all those in this room and beyond. He is also right to allude to the criminal law. I reassure him that communication service providers have to comply with the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, which together contain those requirements that the data is appropriately secured. When he has the time—which I am sure is as precious to him as it is to the rest of us—chapter 16 of the draft communications code of practice contains an entire set of provisions relating to the security, integrity and, indeed, destruction of retained data, which very much underpin the principles of why CSPs have to operate and will give him the reassurance that he properly seeks about the position with regard to individual data and people’s privacy.

Data retention legislation has existed in this country since the Anti-terrorism, Crime and Security Act 2001, which allowed the Secretary of State to enter into voluntary agreements with telecommunications operators so that they could retain data that otherwise would be deleted. The Data Retention (EC Directive) Regulations 2007 were the first piece of data retention legislation that provided for the Secretary of State to require the retention of such data. We currently have DRIPA 2014 and the data retention regulations of that year. We hope to replace those with the provisions in the Bill. A very important point is that there is nothing new about these proposals. Our data retention legislation has always had the Secretary of State involved in the process and there are very good reasons for that. It has worked successfully until now. As I have indicated, it has been recommended to us by David Anderson.

The amendments that have been tabled seek to drive a coach and horses through all of that. There is a simple and blindingly obvious reason why we wish to maintain the system of data retention. For example, when a crime happens or a child goes missing, it is impossible to know in advance which data would be relevant in any subsequent investigation. It is therefore important that we require the retention of all relevant communications data that matches a certain description wherever it is necessary and important. Because it is impossible to know which data will be the most relevant in advance of any crime, it is impossible to know whether a specific piece of data will be of value to MI5 in locating a terrorist, for example, or to the National Crime Agency in identifying a paedophile, or for any other legitimate purpose. For that reason it does not make sense for those authorities to apply for retention warrants individually. What makes sense is for the requirement of all relevant public authorities to be considered together. The person best placed to do that is the Secretary of State. Public authorities set out their requirements for data retention to the Home Office and they are then carefully considered. As they usually overlap, the Secretary of State is able to identify the specific telecommunications operators and specific data types that it is necessary and proportionate to make subject to data retention notices. As the full costs of data retention are covered by the Secretary of State, only he or she can decide whether or not the benefits of data retention are proportionate to the costs.

There has been some discussion about cost again today. The £170 million figure is based on the cost of our anticipated implementation, which takes into account data that is already obtained under existing legislation. We noted the evidence of BT when it talked about the costs being dictated by its implementation approach, and we continue to discuss implementation with those communication service providers likely to be inspected. Whatever the final cost, however, the important underwriting by the Government is a vital factor in giving reassurance to the industry, not only on the practicability of these measures, but on the importance therefore of involving the Secretary of State.

My worry is that if we went down the road proposed by the amendments, we would end up with a rather confused system that would not allow for the overall benefits of retaining a particular type of data, because the judicial commissioner would only ever be able to consider the benefits to the particular public authority applying for a warrant. It would therefore be impossible to judge the overall necessity and proportionality of requiring a particular company to retain a particular dataset.

We have heard about new clause 10 and its provisions. Given that it is impossible to predict in advance what data would need to be retained, this approach relies on data being retained only after a crime has been committed and/or an investigation has begun. Preservation only works if the data is there to preserve and it is of limited benefit without an existing retention scheme. Without data retention, data protection rules require that the data that is no longer needed for business purposes must be deleted. Without data retention, the data that is needed would not exist. Therefore, the regime of warrantry—the double lock, indeed the proposals put forward by Opposition Members—none of it would matter, because the material would not be there. That is particularly relevant when it comes to the increasing move of criminals and their ilk away from conventional telecommunications to the internet and internet connections.

A number of reports published by the EU Commission show the value of communications data and why the concept of data preservation, as envisaged in new clause 10, is not a viable alternative. In a Europe-wide investigation into online child sexual exploitation, of the 371 suspects identified here in the UK, 240 cases were investigated and 121 arrests or convictions were then possible. Of the 377 suspects in Germany, which does not have a data retention regime, only seven could be investigated and no arrests were made.

I have explained why the existing data retention regime that the Bill replicates is the appropriate model. May I deal with the change proposed by a set of amendments that involve changing the word “may” to “must” in clause 78(2)? That would require a data retention notice to cover certain issues. I am sympathetic to the aim of the amendment, because I am in favour of specific requirements, but the amendment is misconceived because subsection (7) already requires that a retention notice must specify the operator to whom it relates, the data which is to be retained, the period of retention, the requirements and restrictions imposed by the notice, and information on costs. Subsection (2) sets out the scope of what a notice may require and subsection (7) requires that the notice must make clear what is required. The two subsections are therefore aimed at different things.

The effect of this amendment would be to require a notice to cover issues that it might not have any reason to cover. For example, a retention notice may

“make different provision for different purposes”.

With respect, it therefore does not make sense to say it must make different provision for different purposes, because a notice may not relate to those different purposes. I would argue that there is therefore nothing to be gained by moving these amendments. That is all I wish to say, but for those reasons I urge hon. Members to withdraw the amendments.

Photo of Keir Starmer Keir Starmer Shadow Minister (Home Office) 3:15, 19 Ebrill 2016

Clause 78 is important for all the reasons that I have set out, but at this stage, I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Photo of Gavin Newlands Gavin Newlands Scottish National Party, Paisley and Renfrewshire North

I beg to move amendment 303, in clause 78, page 61, line 12, leave out—

“of all data or any description of data” and insert

“of specified relevant communications data”.

Photo of Nadine Dorries Nadine Dorries Ceidwadwyr, Mid Bedfordshire

With this it will be convenient to discuss the following:

Amendment 304, in clause 78, page 61, line 14, leave out paragraph (2)(d).

Amendment 305, in clause 78, page 61, line 16, leave out paragraph (2)(e).

Photo of Gavin Newlands Gavin Newlands Scottish National Party, Paisley and Renfrewshire North

I will not detain the Committee for too long; these issues have already largely been addressed. Amendments 304 and 305 seek to remove paragraphs (d) and (e) from clause 78(2). In a Bill replete with vagueness, those two subsections stand out as being particularly vague. The new clause that I will come to in a moment would require a data retention notice—or warrant, as we would wish—to be issued only for a specific investigative or operational purpose. The SNP has tabled amendments that will bring greater clarity to when and why a warrant would be issued.

As we know, communications data is defined as data that would be used to identify, or assist in identifying, the who, where and how. However, instead of allowing a blanket surveillance approach that treats everyone as a suspect, the amendments would allow the police to apply to a judicial commissioner for targeted retention warrants, in which data is required for the purposes of a specific investigation into serious crime, or for the purpose of preventing death or injury. I trust that these amendments are acceptable to the Government.

Photo of Robert Buckland Robert Buckland The Solicitor-General

I rise to address the concerns of the hon. Gentleman. It is good to hear from him; I should have said that during the last group. He has made the point about his concerns of vagueness. However, I would argue that it is very important that a notice can have a degree of flexibility within it, because a single telecommunications operator may provide a number of different communications services, such as mobile telephony and internet access. However, there may be different complexities and sensitivities about the different types of communications data that are generated by those services. Considerable preliminary work is carried out between the Government and telecoms operators in advance of the service of a retention notice. That covers a number of issues, including the type of data that will be retained, the complexities of the operator’s systems, and the relevant security requirements. Flexibility is needed to ensure that the notice can appropriately reflect those issues, and that it imposes the minimum requirements necessary to meet the operational requirements.

What we are counter-intuitively getting at is to make sure that there is necessary give and take within the system to prevent what the hon. Gentleman and I would regard as an overweening approach from the Secretary of State, which would impede the ability of communications service providers to carry out their operations. For that reason, I respectfully urge him to withdraw the amendment.

Photo of Gavin Newlands Gavin Newlands Scottish National Party, Paisley and Renfrewshire North

I hear what the Solicitor General has said, but I do not wholly agree with him. I reserve the right to bring this back at a later stage. I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Photo of Joanna Cherry Joanna Cherry Shadow SNP Westminster Group Leader (Justice and Home Affairs)

I beg to move amendment 306, in clause 78, page 61, line 18, at end insert—

‘(2A) A retention notice may not require a telecommunications operator to retain any data belonging to a third party data, unless that third party data is retained by the telecommunications operator for their own business purposes.”

Photo of Nadine Dorries Nadine Dorries Ceidwadwyr, Mid Bedfordshire

With this it will be convenient to discuss amendment (a) to amendment 306, leave out “notice” and insert “warrant”.

Photo of Joanna Cherry Joanna Cherry Shadow SNP Westminster Group Leader (Justice and Home Affairs)

Amendment 306 would insert at the end of clause 78(2) a provision in relation to third party data. Third party data are defined in the code of practice as data that a communications service provider is able to see

“in relation to applications or services running over their network…but does not process that communications data in any way to route the communication across the network”.

To its credit, the Home Office has been unequivocal that such third party data would not be covered in the Bill; the Home Secretary informed the House on 4 November 2015 that the Bill

“will not include powers to force UK companies to capture and retain third party internet traffic from companies based overseas”.—[Official Report, 4 November 2015; Vol. 601, c. 969.]

The draft code of practice for communications data states at paragraph 2.61:

“A data retention notice can never require a CSP to retain the content of communications or third party data”.

The overly broad definition of relevant communications data, which now extends to 16 different definitions and sub-definitions, could however be interpreted as giving the Secretary of State the power to require a communications service provider to retain third party data, since the definition does not expressly exclude third party data unless this amendment is agreed. There are currently no clauses in the Bill that explicitly state that communications service providers will not be required to retain third party data. That is the purpose of the amendment. Given that they have been so clear on the Floor of the House and in the code of practice that that is their intention, if the Government will not accept the amendment, the Minister must tell us why. Where we are dealing with such potentially intrusive powers, we must be as clear as possible.

Photo of Robert Buckland Robert Buckland The Solicitor-General

Amendment 306 is tabled, quite properly, to tease out from the Government the more detailed reasoning behind the important statement made by the Home Secretary on Second Reading. The hon. and learned Lady is quite right to refer to that statement. I once again reiterate the Government’s position that we will not be requiring the retention of third party data through these provisions.

The question is how best to achieve that; therein lies the tension. Attractive though the approach advanced by the hon. and learned Lady might be, there are some drafting issues and problems about legal certainty, which mean that putting those provisions in the Bill with suitable detail is problematic.

One of the main functions of the Bill—and one of my desiderata—is to ensure that it is resilient and stands the test of time. My concern is that if we end up with a definition that is too technologically neutral, it will either fail the test of time in this place, or be subject to challenge. As a Law Officer, legal uncertainty is something I have to take very seriously when considering how legislation is presented. That is why I commend the detailed provisions within the draft code of practice on third party data—paragraphs 2.68 to 2.72—that the hon. and learned Lady referred to. That is not only an explicit reiteration of our commitment but the sort of detail needed for those operating the provisions, which could not be properly put in the Bill.

It is generally well understood what third party data are, but perhaps I should briefly explain the important areas of detail that could not be covered on Second Reading. Where one communications service provider is able to see the communications data in relation to applications or services that run over their network, but does not process that communications data in any way to route the communication across the network, then that is regarded as third party data. For example, an email provider, such as Yahoo or Gmail, knows that a certain internet access service, such as BT Internet, was used to send email, but that fact is not needed or used to send it. So it is in everybody’s interest, not least that of the service providers themselves, that there is sufficient clarity about the data that can be retained under the provisions. As I have said, I think the code of practice is the right vehicle for this. It is also the appropriate vehicle for ensuring that there can be a sufficiently detailed definition of third party data for the reasons I have outlined. In those circumstances, I respectfully ask the hon. Lady to consider withdrawing her amendment.

Photo of Joanna Cherry Joanna Cherry Shadow SNP Westminster Group Leader (Justice and Home Affairs)

I am not happy about withdrawing the amendment in the absence of elaboration of what the Solicitor General means by drafting issues and problems of legal certainty. I am not clear at the moment why we cannot have both the amendment and the further elaboration that will be provided in the codes of practice.

Amendment proposed to amendment 306: (a), leave out “notice” and insert “warrant”.—(Gavin Newlands.)

Question put, That the amendment be made.

The Committee divided:

Ayes 7, Noes 9.

Rhif adran 24 Christmas Tree Industry — Powers to require retention of certain data

Ie: 7 MPs

Na: 9 MPs

Ie: A-Z fesul cyfenw

Na: A-Z fesul cyfenw

Question accordingly negatived.

Question put, That amendment 306 be made.

The Committee divided:

Ayes 2, Noes 9.

Rhif adran 25 Christmas Tree Industry — Powers to require retention of certain data

Ie: 2 MPs

Na: 9 MPs

Ie: A-Z fesul cyfenw

Na: A-Z fesul cyfenw

Question accordingly negatived.

Photo of Gavin Newlands Gavin Newlands Scottish National Party, Paisley and Renfrewshire North 3:30, 19 Ebrill 2016

I beg to move amendment 317, in clause 78, page 61, line 34, leave out “(or description of operators)” and insert “or operators”.

Photo of Nadine Dorries Nadine Dorries Ceidwadwyr, Mid Bedfordshire

With this it will be convenient to discuss the following:

Amendment 315, in clause 78, page 61, line 37, leave out “(or description of operators)” and insert “or operators”.

Amendment 319, in clause 78, page 61, line 42, leave out “(or description of operators)” and insert “or operators”.

Amendment 328, in clause 79, page 62, line 33, leave out “(or description of operators)” and insert “or operators”.

Amendment 338, in clause 80, page 62, line 42, leave out subsection (3).

Amendment 361, in clause 83, page 64, line 16, leave out “(or description of operators)” and insert “or operators”.

Amendment 374, in clause 83, page 65, line 1, leave out “(or description of operators)” and insert “or operators”.

Amendment 375, in clause 83, page 65, line 8, leave out “(or description of operators)” and insert “or operators”.

Photo of Gavin Newlands Gavin Newlands Scottish National Party, Paisley and Renfrewshire North

The SNP has tabled the amendments to provide for clear, appropriate and limited grounds on which data retention warrants may be issued. The amendments require that the data to be retained are specified and that organisations served with warrants to retain communication data should be identified rather than merely described.

Amendments 315 and 317 affirm that organisations that have been served a notice or warrant to retain the communications of their customers are properly and explicitly identified. The term “description of operators” is far too vague and we urge that it is changed to “or operators”. Amendment 328 ensures that those organisations are defined and named before a retention notice can be issued. Amendment 338 removes the possibility of the Home Secretary being able merely to describe the telecommunications operators that she wants to target. Amendments 361, 374 and 375 provide the basis for a concrete description to be included when there is any variation of a notice.

The amendments attempt to bring to the Bill some clarity, which is sadly lacking. It is not good enough that the Home Secretary can sign a notice that merely describes who is impinged on or directly affected by these intrusive powers, because that approach opens up the space for the powers to be abused. We need to act to ensure that, as much as possible, we operate a targeted approach.

Photo of Robert Buckland Robert Buckland The Solicitor-General

I understand the purpose behind the amendment in that, in the opinion of the hon. Member for Paisley and Renfrewshire North, it would ensure greater specificity in the giving of notices. However, I shall give a brief example of what a “description of operators” might be. With this provision we would have been able to give the same retention notice to all wi-fi providers supplying wi-fi to the Olympic park in London during the 2012 Olympics. In these circumstances the operators are providing precisely the same kind of communications service and the data required to be retained is the same. Whether a notice relates to a description of operators or to a single operator, it can only contain what the Bill’s provisions allow and the Secretary of State must consult with the operators to which it relates. Operators also have the opportunity to refer the notice back to him or her in relation to any aspect of it. Therefore, on that basis, I invite the hon. Gentleman to withdraw his amendment.

Photo of Gavin Newlands Gavin Newlands Scottish National Party, Paisley and Renfrewshire North

I am content to withdraw the amendments at this stage. I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Photo of Keir Starmer Keir Starmer Shadow Minister (Home Office)

I beg to move amendment 152, in clause 78, page 61, line 36, at end insert “, and

(c) only when approved by the Investigatory Powers Commissioner.

(5A) In deciding whether to approve a notice, the Investigatory Powers Commissioner must determine whether a notice is—

(a) that the conduct required by the notice is necessary for one or more of the purposes in section 53(7); and

(b) that the conduct required by the notice is proportionate to what is sought to be achieved by that conduct.”

Photo of Nadine Dorries Nadine Dorries Ceidwadwyr, Mid Bedfordshire

With this it will be convenient to discuss the following:

Amendment 153, in clause 78, page 61, line 38, leave out “Secretary of State” and insert “Investigatory Powers Commissioner”.

Amendment 222, in clause 83, page 64, line 21, at end insert “and

( ) the variation has been approved by the Investigatory Powers Commissioner.”

Photo of Keir Starmer Keir Starmer Shadow Minister (Home Office)

For better or for worse, I spoke to these amendments during my submission on earlier amendments. I do not have any additional points and I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Photo of Gavin Newlands Gavin Newlands Scottish National Party, Paisley and Renfrewshire North

I beg to move amendment 320, in clause 78, page 62, line 13, leave out subsection (9) and insert—

“(9) In this Part ‘relevant communications data’ means—

(a) communications data of the kind mentioned in the Schedule to the Data Retention (EC Directive) Regulations 2009 (SI 2009/859), or

(b) relevant internet data not falling within paragraph (a).

(9A) In this part ‘relevant internet data’ means communications data which may be used to identify, or assist in identifying, the sender or recipient of a communication (whether or not a person).”

Thus far while debating the clause we have covered providing for the judiciary, in the shape of judicial commissioners, to issue data retention warrants rather than notices, and removing the Secretary of State from the role, making it clear on the face of the Bill who is eligible to apply for a warrant; limiting the grounds for the issuing of warrants; ensuring that all targets are identified and not described; and that the data to be retained should be specified. The fact that we in opposition have had to table so many amendments highlights the main problem in the drafting of the Bill: vagueness. The Bill is wholly lacking in specificity and clarity and nothing highlights that more than the issue of internet connection records.

As trailed by my hon. and learned Friend the Member for Edinburgh South West during the debate on clause 54, the SNP has significant reservations about the provisions on internet connection records as drafted in the Bill. Not only are the definition and legality of the provisions unclear, but the Government's case for ICRs has simply not been made. Amendment 320, which stands in my name and that of my hon. and learned Friend, would effectively remove ICRs from the Bill and replicate the Data Retention and Investigatory Powers Act 2014 in its original form, to ensure that the definition of “relevant communications data” is consistent with current legislation. That will help provide the legal certainty and clarity that the industry needs to understand its legal obligations appropriately. At the moment the industry is having difficulty in understanding what exactly the Government want and require it to do. Although the industry is willing to work with the Government to try to implement their vision for ICRs, it does not know what ICRs are, and it looks as though the Government do not altogether know either.

Despite the significance of ICRs, very little detail about them has been provided, with the Government consistently saying that the detail can be worked out later. That lack of clarity is simply not good enough when the Government are asking us to sign off on legislation that will have a significant impact on the industry and impinge significantly on the right to basic privacy that our constituents, quite rightly, expect. Indeed, the Internet Service Providers Association says:

“The Investigatory Powers Bill deals with highly complex technical matters, however, our members do not believe that complexity should lead to a Bill lacking in clarity.”

I could not agree more. As has been mentioned already, the clearest definition of an ICR is not in the Bill itself but in the document “Operational Case for the Retention of Internet Connection Records” from the Home Office. That describes ICRs as

“a record of the internet services that a specific device connects to – such as a website or instant messaging application – generated and processed by the company providing access to the internet.”

A concrete definition of what specific data form an ICR, exactly who has access, precisely what for and exactly who must retain the data must be on the face of the Bill.

The Home Office may want to have a “flexible” definition, as typified in clause 54(6), but given that we are dealing with a Bill that may have the biggest impact on civil liberties than any other Bill for generations, that simply will not cut the mustard. The Intelligence and Security Committee helpfully referred to ICRs as providing information on the “who, when and where” of someone’s internet use. The Government claim that they have no plans to acquire the content of the said communications, but DRIPA and RIPA suggest that that does not matter, given that acquiring the sort of information that is going to be held under an ICR can provide important details on the date, time, location and type of communication used. Liberty suggests that ICRs will provide a detailed and revealing picture of somebody’s life in the digital age. That point was highlighted by the Information Commissioner when he said that ICRs can reveal a great deal about the behaviours and activities of an individual. In fact, Stewart Baker, former senior counsel to the United States National Security Agency, stated that it

“absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.”

Based on those statements alone, it is important to assess the proportionality and necessity of ICRs, but also question whether they are in accordance with the law. We live in a digital world and, quite rightly, our constituents place a lot of importance on their right to privacy as they use the internet. We accept that the security authorities need adequate powers to keep us safe and it is only proper that the Government consider what new powers they need for the digital age. However, like most people, I am deeply concerned about the complete lack of specifics about ICRs. In publishing such widely-drafted legislation and telling the sector that the detail will come shortly, the Government are asking us all to trust them. They are asking us, as Members of this House, to pass and approve legislation without knowing what its full impact, costs or consequences—unintended or otherwise—will be. In effect, they are asking us to sign a blank cheque on much of the communications data powers. Is that really a proper and effective way to devise and develop legislation that has such civil liberty repercussions?

The SNP is not opposed to certain authorities having the power to obtain communications data or internet connection information critical to their investigations. We fully accept that some power is not only necessary, but crucial, for law enforcement in the 21st century. However, rather than a blanket collection of the websites that everyone in the UK has visited in the last 12 months, we prefer a specific, targeted solution. We agree that intercepting someone’s communication data can be an important part of any criminal investigation and it is important that we do that for those suspected of being engaged in criminal activity. There is an obvious difference, though, in intercepting the communications of those suspected of criminal activity and those of the vast majority of our constituents, who are, by and large, law-abiding citizens.

The Government are asking companies to hold and retain information on all the internet sites that an individual visits. It is unclear how much information the Government want those companies to hold, but it is clear that it is going to be a huge amount of data and we still do not know about the feasibility or costs involved. The sort of information that the Government want companies to retain could be sites that the person has mistakenly accessed; it could be a website that the person has spent only a few seconds on; it could also be an internet site that a person has accessed for deeply personal reasons, such as receiving advice on domestic violence or on health matters. Putting the sensitivity and privacy argument to one side, we need to consider whether the Government are going to have too much information at their disposal and thus, inadvertently, make it harder for our security services to complete their investigations.

During the evidence session I made a point about mobile devices always being connected to the internet via various apps, following a similar point made by the hon. and learned Member for Holborn and St Pancras. Those applications are constantly creating ICRs and that will increase as phones become even more advanced and able to process more information more quickly, with bigger memories.

It is unclear how many automatic ICRs are being created by my phone alone, but the Government are demanding that the various communications companies retain these ICRs for a period of 12 months. Conversations with people in the industry have shown that companies have yet to figure out how they will separate the automatic data that are generated through a third-party app from the data that are generated manually by a user. According to the definitions in the Bill, both will generate the same data, showing that the user has accessed an app and recording the date, location, time and so on of that use.

Another industry expert told me that a single app could generate up to 100 ICRs per minute—that is just one single app. I am unsure of the figures for over here, but in America there is an average of 27 apps on every smartphone. If it is the same in the UK, and taking into account the average number of apps and possible connections, this could lead to 2,700 ICRs per phone per minute, or 100,000 ICRs per phone per day. Well over 3 million ICRs could be generated just by the phones in this room. The third party app issue has been raised by the industry time and time again, but it has not been properly addressed by the Government. In evidence given to this Committee, the CEO of BT security, which has been working with the Government, said in response to the third party app issue:

“We are considering whether to propose an amendment to the Home Office on the third party data question, which is the case in point here, and how that should be approached. We think that the principle is that other providers who have that data are the ones who should be subject to it, and that it should be explicit in the Bill”.

I then pressed him on whether at the moment the Bill was not clear enough on that aspect. He replied:

“It could be clearer, and we are thinking about proposing an amendment specifically to over-the-top providers, making it clear that they are responsible for that”.

I have to say, if BT are unsure who is involved, how are the rest of the industry supposed to know? We have to ask whether or not it is necessary or proportionate for the Government to have information and data on the apps that I or anyone else has on their phone. Given these points, among others, I can understand why so many people are calling ICRs a Home Office solution to a police problem, instead of being a police solution to a police problem. This point was articulated during the evidence session by Sara Ogilvie of Liberty, who said:

“It seems clear that, given the bulk nature of these powers, they will not deliver that kind of information in a helpful manner. If anything, it seems more likely to drive criminals to use bits of the internet that will not be captured by the service”.––[Official Report, Investigatory Powers Public Bill Committee, 24 March 2016; c. 49, 15.]

We also need to be mindful of the amount of information that we want to expose and the potential for this to be targeted by criminal hackers. When a similar plan to collect web logs was proposed in 2012, the Joint Committee on the draft Communications Data Bill concluded that it would create a

“honeypot for casual hackers, blackmailers, criminals large and small from around the world, and foreign states”.

This wealth of data in the wrong hands could be used for identity theft, scamming, fraud, blackmail and even burglaries, as connection records can show when internet access occurs in or out of the house, representing a daily routine. This is an unacceptable level of risk to inflict on innocent internet users. The Chair of the Science and Technology Committee said:

“There remain questions about the feasibility of collecting and storing Internet Connection Records (ICRs), including concerns about ensuring security for the records from hackers. The Bill was intended to provide clarity to the industry, but the current draft contains very broad and ambiguous definitions of ICRs, which are confusing communications providers. This must be put right for the Bill to achieve its stated security goals”.

Furthermore, not to be outdone, the Joint Committee tasked with scrutinising the draft Communications Data Bill said in its final report that,

“storing web log data, however securely, carries the possible risk that it may be hacked into or may fall accidentally into the wrong hands, and that, if this were to happen, potentially damaging inferences about people’s interests or activities could be drawn”.

Surely with these warnings, which were issued by such influential and important Committees, the Government should have listened and addressed some of their concerns, but it would seem not. With regards to some of the case studies laid out in “Operational Case for the Retention of Internet Connection Records”, the likelihood of ICRs proving vital in identifying criminals has been questioned by ISPs and technologists. The justification for ICRs being helpful relies on the assumption that online criminals offend using a regular browser or public file sharing service on their own device, using personal internet connections, without employing the most basic of the widely available anonymity tools to avoid detection. The use of VPNs or Tor helps anonymise users of the internet. As such, ICRs will be unusable and, in fact, misleading where such privacy tools have been used. It is obvious for all to see that the more information that is retained, the greater the costs entailed to either the industry or the taxpayer.

When I spoke to people at TechUK last week, they explained that the introduction of ICRs will be a significant change to the industry and that all organisations will have to re-adapt to meet the new expectations and responsibilities that are being put on them. In addition, they are concerned about the new types of technology that they will need to install to allow them to cope with the new demands from Government. For example, they are concerned that many in the industry will have to install new filtering systems to help companies deal with the vast amount of data they now have to retain. It is difficult even to question the feasibility of such demands due to the limited information and detail provided by the Home Office.

The Home Office has said that companies will be reimbursed for the additional cost placed on them, but that commitment does not appear in the Bill. These companies, large and small, are being asked to make a significant investment into their operations and all they have from the Government is an IOU. They may have to invest significant capital in the event of this Bill passing; they will need something more concrete than an IOU from the Home Secretary. The Government have earmarked £175 million for a reimbursement fund to help these companies to meet the cost of their new responsibilities. However, most in the sector believe that that sum will barely scratch the surface. The Government need to understand what they are asking these companies to do and come up with a true reflection of what it will cost. The companies themselves estimate that the cost of implementing ICRs could reach over £1 billion. I accept that the Government do not want the industry to pick up the tab for these new costs, but it is unfair to demand a blank cheque from the taxpayer without being open and honest about the possible costs involved.

It is also important that we look at other places that have attempted to introduce similar powers, to find out whether we can learn any lessons from them. It is unfortunate that a similar scheme of logging data has recently been abandoned in Denmark. Before Government Members jump up and say that ICRs are different, as they have already said many times, I have to point out that their argument to substantiate that point and explain the difference has so far seemed to be “They just are”. Without clearly defining what ICRs will be and what will be held, it is impossible for the Government to argue that there is a vast difference in the two schemes. I accept that ultimately there may well be small differences, but we have to examine similar operations in the scrutiny of this one.

The Danish scheme operated for seven years, from 2007 to 2014, and on its abandonment the Danish security services expressed their difficulty making proper and effective use of the large amount of data that had been gathered. It seems that, instead of spending their valuable time locating criminals, the security services will spend most of their time working on spreadsheets and filtering out useless information from data that could be of use. It should also be noted that there have been claims that the Danish model was also proving to be too expensive and that the costs were spiralling out of control. The Danish telecommunications industry association has estimated that the initial investment costs alone for the Danish scheme would amount to 1 billion Danish kroner—a figure that has subsequently been confirmed by Ernst and Young, which was commissioned by the Danish Ministry of Justice.

We also need to consider why the United States—home of the Patriot Act, no less—is dismantling much of its intrusive powers and is going in the opposite direction to the UK. Australia also looked at a similar proposal but quickly learned that it would be a costly and ultimately ineffective way of tackling crime in a digital age. Instead of going out our way to implement these powers on our own, we should be working with the international community to see how we can implement more effective powers—for example, by incentivising the rollout of the IP address protocol IPV6, which would effectively allow any and all devices connected to the internet to have their own fixed IP address, thus taking IP address resolution problems out of the equation.

Lastly, the question whether the Bill is in accordance with the law is up for debate.

Sitting suspended for a Division in the House.

On resuming—

Photo of Gavin Newlands Gavin Newlands Scottish National Party, Paisley and Renfrewshire North

This is the first speech I have made in this place that has required an intermission. It has been suggested that I start from the beginning as I cannot remember where I had got to. I am nothing but a crowd pleaser, Ms Dorries, but I have found the place where I left off, so I shall continue.

I was saying that the question whether the Bill is in accordance with the law is up for debate. If this part is left unchanged, Liberty and others suggest that it will be in conflict with human rights law, including breaching the EU charter of fundamental rights and freedoms. In July 2015, the High Court upheld its challenge and struck down sections 1 and 2 of the Data Retention and Investigatory Powers Act 2014, finding them incompatible with the British public’s right to respect for private life and communications, and protection of personal data under articles 7 and 8 of the EU charter of fundamental rights.

In addition, we should be mindful that the challenge against DRIPA is ongoing and that the outcome will have an impact on whether this part of the Bill is lawful, although I suspect not. On that basis, I question whether ICRs will do the job the Government intend them to do. The Home Office has become entrenched with regard to ICRs and its fixation with them is clouding its ability not only to look at alternatives, but to assess whether ICRs are proportionate, necessary or in accordance with the law. The SNP believes that ICRs fail those three basic assessments.

I want to quote an unlikely ally, who, in 2009, said in Committee:

“Our consideration of the regulations comes against the backdrop of an increasingly interventionist approach by the Government into all of our lives, seemingly taking the maxim ‘need to know’ to mean that they need to know everything. Certainly, we need to know what the Government’s intentions are in relation to the creation of a new central database, which would create a central store of our electronic communications.”—[Official Report, Fourth Delegated Legislation Committee, 16 March 2009; c. 6.]

That ally was none other than James Brokenshire, now Minister for Immigration at the Home Office, speaking in a delegated legislation Committee on an EC directive with very similar provisions to parts of this Bill. That statutory instrument was passed by the House, but notable opponents included Members who are now Scottish Secretary, Home Secretary and Minister for Security—the Minister in charge of this Bill.

We in the SNP are mindful of the evidence that has been presented and submitted to the Committee, but it is our opinion, backed up by case law, that the power to retain ICRs is incompatible with the right to privacy and the protection of personal data, and I urge hon. Members to amend the Bill and ask the Government to think again.

Photo of Robert Buckland Robert Buckland The Solicitor-General

I am grateful to hon. Members for this important debate, which, although it relates to an amendment, inevitably strayed into what is, in effect, the stand part debate on communications data.

The hon. Member for Paisley and Renfrewshire North set out his case comprehensively, but his arguments relate to measures and proposals that are not before the Committee. We have moved a long way from 2009, and certainly from 2012, when the original draft Bill was considered by a predecessor Joint Committee. We are not in the situation where the Government will hold a centralised database. That sort of measure was rightly opposed by my right hon. Friend the Minister for Immigration and other of my hon. Friends at that time, because we are naturally suspicious of an organ of Government directly blanket-holding such data.

That is why this provision is not remotely like that. It does not contain anything like the provisions that the hon. Gentleman rightly cautions against, most importantly because the retention of that data is not in the hands of Government. That arm’s length approach is a key difference, which I am afraid undermines all the seeming quality of his argument.

Photo of Gavin Newlands Gavin Newlands Scottish National Party, Paisley and Renfrewshire North

I thank the Solicitor General for giving way. Will the series of private databases under the Bill be any safer from hacking than a central Government database?

Photo of Robert Buckland Robert Buckland The Solicitor-General

The hon. Gentleman makes a proper point about security. This, in respect of the code of practice and in collaboration with the industry, will be at the forefront of everybody’s mind. What is important is that the Government do not have a pick-and-mix or help yourself avenue within which they can mine data for their own capricious purposes.

The framework of the Bill quite properly severely circumscribes the circumstances within which the Government can seek access to that material. Most importantly, when it comes to content, the warrantry system—the world-leading double lock system we are proposing—will apply. An internet connection record is not content; it is a record of an event that will be held by that telecommunications operator. It relates to the fact of whether or not a customer has connected to the internet in a particular way. If it goes further into content, the warrantry provisions will apply. It is important to remember that framework when determining, and describing and putting into context, what we are talking about. The Committee deserves better than indiscriminate shroud-waving about prospects and concerns that simply do not arise from the measures in the Bill.

The hon. Gentleman quite properly raised the Danish experience. The Danish Government and authorities are in regular conversation with the United Kingdom Government. That dialogue goes on because they are naturally very interested to see how our model develops, although there are important differences that should be set out briefly. The Danish legislation was not technology neutral, unlike these proposals, because it specified two options that proved unworkable. We work with operators case by case so that the best option for their network at the appropriate time will be determined. The Bill builds on existing data retention requirements, such as the retention of data necessary to resolve IP addresses, which regime already exists under the Counter-Terrorism and Security Act 2015. The full cost recovery underpinning by the Government means that there is no incentive for communication service providers to cut corners, as I am afraid happened in Denmark. There are important differences between the two.

The hon. Gentleman rightly talks about IPV6. Although it is a great aim and something that all of us who have an interest in this area will have considered carefully, it still is, with the best will in the world, a way away, I am afraid. It will take a long time for all service providers to implement in full, and until then, there will be both types of system. Even with IPV6, CSPs may choose to implement address sharing or network address translation, meaning that it is not the guaranteed solution that perhaps has been suggested. Servers who host illegal material are much less likely to move to that system, meaning that, in practice, IPV4 may well remain with us. We therefore have to act in the interim, because, as has been said, the drift away from what I have called conventional telecommunications to the internet carries on whether we like it or not. We have to face up to the world as it is, rather than the world as we would love it to be, and therefore take into account the fact that we are in danger of being unable to detect criminality and terrorism.

Photo of Joanna Cherry Joanna Cherry Shadow SNP Westminster Group Leader (Justice and Home Affairs)

The Solicitor General says we have to face up to the world as it is. Why is it, then, that no other democratic nation in the world is implementing legislation of this sort?

Photo of Robert Buckland Robert Buckland The Solicitor-General

The hon. and learned Lady has asked that question before, and I have said to her before that somebody has to step up, try it and make that change. I am proud that the United Kingdom is prepared to do that, as we have done it in so many ways.

Photo of Joanna Cherry Joanna Cherry Shadow SNP Westminster Group Leader (Justice and Home Affairs)

Is the Solicitor General aware that it is not that other countries have not looked at the problem? They have looked at the problem and decided that this is not the way to solve it.

Photo of Robert Buckland Robert Buckland The Solicitor-General

I am afraid I do not agree with the hon. and learned Lady. What they have looked at is the sort of centralised, Governmental-based database that all of us have quite properly rejected. They are looking with interest to see how this particular proposal develops, bearing in mind that it has now been refined through many Committees of the House. Accordingly, I think what we are doing is innovative, world leading and, with its technology-neutral approach to the definitions, striking the right balance.

The problem with the amendment as I see it is not only that it is technically deficient, but that, on close reading, it does not exclude the retention of internet connection records, because it talks about the sender and recipient of communications, which is either end of the communication we are talking about when it comes to ICRs. Let us assume that that is an error. Even if we consider its intention at face value, the problem with going back to the 2009 regulations is that we are returning to the language of dial-up—the sort of non-broadband, non-mobile internet access we were all used to 15 years ago, but which now belongs in a museum. If we imprison ourselves in that sort of language, the danger that I have outlined becomes very real.

What next? Are we going back to the telex or the marconigram? We have to make sure that the language of the Bill keeps pace with the breathtaking scale of technological change. In the words of the hon. Member for Paisley and Renfrewshire North, the amendment just does not cut the mustard and I urge that it be withdrawn.

Photo of Gavin Newlands Gavin Newlands Scottish National Party, Paisley and Renfrewshire North 4:15, 19 Ebrill 2016

I hear what the Minister has to say but I am not assuaged by his comments, so this shroud-waver would like to press the amendment to a vote.

Question put, That the amendment be made.

The Committee divided:

Ayes 2, Noes 9.

Rhif adran 26 Christmas Tree Industry — Powers to require retention of certain data

Ie: 2 MPs

Na: 9 MPs

Ie: A-Z fesul cyfenw

Na: A-Z fesul cyfenw

Question accordingly negatived.

Clause 78 ordered to stand part of the Bill.

Clause 79